[thirdparty/openssl.git] / crypto / x509 / x509_vpm.c

/* x509_vpm.c */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2004.
 */
/* ====================================================================
 * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#include <stdio.h>

#include "cryptlib.h"
#include <openssl/crypto.h>
#include <openssl/lhash.h>
#include <openssl/buffer.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>

#include "x509_lcl.h"

/* X509_VERIFY_PARAM functions */

#define SET_HOST 0
#define ADD_HOST 1

static char *str_copy(const char *s) { return OPENSSL_strdup(s); }
static void str_free(char *s) { OPENSSL_free(s); }

#define string_stack_free(sk) sk_OPENSSL_STRING_pop_free(sk, str_free)

static int int_x509_param_set_hosts(X509_VERIFY_PARAM_ID *id, int mode,
				    const unsigned char *name, size_t namelen)
	{
	char *copy;

	/*
	 * Refuse names with embedded NUL bytes, except perhaps as final byte.
	 * XXX: Do we need to push an error onto the error stack?
	 */
	if (namelen == 0)
		namelen = name ? strlen((char *)name) : 0;
	else if (name && memchr(name, '\0', namelen > 1 ? namelen-1 : namelen))
		 return 0;
	if (name && name[namelen-1] == '\0')
		--namelen;

	if (mode == SET_HOST && id->hosts)
		{
		string_stack_free(id->hosts);
		id->hosts = NULL;
		}
	if (name == NULL || namelen == 0)
		return 1;

	copy = BUF_strndup((char *)name, namelen);
	if (copy == NULL)
		return 0;

	if (id->hosts == NULL &&
	    (id->hosts = sk_OPENSSL_STRING_new_null()) == NULL)
		{
		OPENSSL_free(copy);
		return 0;
		}

	if (!sk_OPENSSL_STRING_push(id->hosts, copy))
		{
		OPENSSL_free(copy);
		if (sk_OPENSSL_STRING_num(id->hosts) == 0)
			{
			sk_OPENSSL_STRING_free(id->hosts);
			id->hosts = NULL;
			}
		return 0;
		}

	return 1;
	}

static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
	{
	X509_VERIFY_PARAM_ID *paramid;
	if (!param)
		return;
	param->name = NULL;
	param->purpose = 0;
	param->trust = 0;
	/*param->inh_flags = X509_VP_FLAG_DEFAULT;*/
	param->inh_flags = 0;
	param->flags = 0;
	param->depth = -1;
	if (param->policies)
		{
		sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
		param->policies = NULL;
		}
	paramid = param->id;
	if (paramid->hosts)
		{
		string_stack_free(paramid->hosts);
		paramid->hosts = NULL;
		}
	if (paramid->peername)
		OPENSSL_free(paramid->peername);
	if (paramid->email)
		{
		OPENSSL_free(paramid->email);
		paramid->email = NULL;
		paramid->emaillen = 0;
		}
	if (paramid->ip)
		{
		OPENSSL_free(paramid->ip);
		paramid->ip = NULL;
		paramid->iplen = 0;
		}

	}

X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
	{
	X509_VERIFY_PARAM *param;
	X509_VERIFY_PARAM_ID *paramid;
	param = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM));
	if (!param)
		return NULL;
	paramid = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM));
	if (!paramid)
		{
		OPENSSL_free(param);
		return NULL;
		}
	memset(param, 0, sizeof(X509_VERIFY_PARAM));
	memset(paramid, 0, sizeof(X509_VERIFY_PARAM_ID));
	param->id = paramid;
	x509_verify_param_zero(param);
	return param;
	}

void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
	{
	x509_verify_param_zero(param);
	OPENSSL_free(param->id);
	OPENSSL_free(param);
	}

/* This function determines how parameters are "inherited" from one structure
 * to another. There are several different ways this can happen.
 *
 * 1. If a child structure needs to have its values initialized from a parent
 *    they are simply copied across. For example SSL_CTX copied to SSL.
 * 2. If the structure should take on values only if they are currently unset.
 *    For example the values in an SSL structure will take appropriate value
 *    for SSL servers or clients but only if the application has not set new
 *    ones.
 *
 * The "inh_flags" field determines how this function behaves. 
 *
 * Normally any values which are set in the default are not copied from the
 * destination and verify flags are ORed together.
 *
 * If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied
 * to the destination. Effectively the values in "to" become default values
 * which will be used only if nothing new is set in "from".
 *
 * If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether
 * they are set or not. Flags is still Ored though.
 *
 * If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead
 * of ORed.
 *
 * If X509_VP_FLAG_LOCKED is set then no values are copied.
 *
 * If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed
 * after the next call.
 */

/* Macro to test if a field should be copied from src to dest */

#define test_x509_verify_param_copy(field, def) \
	(to_overwrite || \
		((src->field != def) && (to_default || (dest->field == def))))

/* As above but for ID fields */

#define test_x509_verify_param_copy_id(idf, def) \
	test_x509_verify_param_copy(id->idf, def)

/* Macro to test and copy a field if necessary */

#define x509_verify_param_copy(field, def) \
	if (test_x509_verify_param_copy(field, def)) \
		dest->field = src->field


int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
						const X509_VERIFY_PARAM *src)
	{
	unsigned long inh_flags;
	int to_default, to_overwrite;
	X509_VERIFY_PARAM_ID *id;
	if (!src)
		return 1;
	id = src->id;
	inh_flags = dest->inh_flags | src->inh_flags;

	if (inh_flags & X509_VP_FLAG_ONCE)
		dest->inh_flags = 0;

	if (inh_flags & X509_VP_FLAG_LOCKED)
		return 1;

	if (inh_flags & X509_VP_FLAG_DEFAULT)
		to_default = 1;
	else
		to_default = 0;

	if (inh_flags & X509_VP_FLAG_OVERWRITE)
		to_overwrite = 1;
	else
		to_overwrite = 0;

	x509_verify_param_copy(purpose, 0);
	x509_verify_param_copy(trust, 0);
	x509_verify_param_copy(depth, -1);

	/* If overwrite or check time not set, copy across */

	if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME))
		{
		dest->check_time = src->check_time;
		dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
		/* Don't need to copy flag: that is done below */
		}

	if (inh_flags & X509_VP_FLAG_RESET_FLAGS)
		dest->flags = 0;

	dest->flags |= src->flags;

	if (test_x509_verify_param_copy(policies, NULL))
		{
		if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies))
			return 0;
		}

	/* Copy the host flags if and only if we're copying the host list */
	if (test_x509_verify_param_copy_id(hosts, NULL))
		{
		if (dest->id->hosts)
			{
			string_stack_free(dest->id->hosts);
			dest->id->hosts = NULL;
			}
		if (id->hosts)
			{
			dest->id->hosts =
			    sk_OPENSSL_STRING_deep_copy(id->hosts,
							str_copy, str_free);
			if (dest->id->hosts == NULL)
				return 0;
			dest->id->hostflags = id->hostflags;
			}
		}

	if (test_x509_verify_param_copy_id(email, NULL))
		{
		if (!X509_VERIFY_PARAM_set1_email(dest, id->email, id->emaillen))
			return 0;
		}

	if (test_x509_verify_param_copy_id(ip, NULL))
		{
		if (!X509_VERIFY_PARAM_set1_ip(dest, id->ip, id->iplen))
			return 0;
		}

	return 1;
	}

int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
						const X509_VERIFY_PARAM *from)
	{
	unsigned long save_flags = to->inh_flags;
	int ret;
	to->inh_flags |= X509_VP_FLAG_DEFAULT;
	ret = X509_VERIFY_PARAM_inherit(to, from);
	to->inh_flags = save_flags;
	return ret;
	}

static int int_x509_param_set1(unsigned char **pdest, size_t *pdestlen,
				const unsigned char *src, size_t srclen)
	{
	void *tmp;
	if (src)
		{
		if (srclen == 0)
			{
			tmp = BUF_strdup((char *)src);
			srclen = strlen((char *)src);
			}
		else
			tmp = BUF_memdup(src, srclen);
		if (!tmp)
			return 0;
		}
	else
		{
		tmp = NULL;
		srclen = 0;
		}
	if (*pdest)
		OPENSSL_free(*pdest);
	*pdest = tmp;
	if (pdestlen)
		*pdestlen = srclen;
	return 1;
	}

int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
	{
	if (param->name)
		OPENSSL_free(param->name);
	param->name = BUF_strdup(name);
	if (param->name)
		return 1;
	return 0;
	}

int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
	{
	param->flags |= flags;
	if (flags & X509_V_FLAG_POLICY_MASK)
		param->flags |= X509_V_FLAG_POLICY_CHECK;
	return 1;
	}

int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags)
	{
	param->flags &= ~flags;
	return 1;
	}

unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
	{
	return param->flags;
	}

int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
	{
	return X509_PURPOSE_set(&param->purpose, purpose);
	}

int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
	{
	return X509_TRUST_set(&param->trust, trust);
	}

void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
	{
	param->depth = depth;
	}

void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
	{
	param->check_time = t;
	param->flags |= X509_V_FLAG_USE_CHECK_TIME;
	}

int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy)
	{
	if (!param->policies)
		{
		param->policies = sk_ASN1_OBJECT_new_null();
		if (!param->policies)
			return 0;
		}
	if (!sk_ASN1_OBJECT_push(param->policies, policy))
		return 0;
	return 1;
	}

int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, 
					STACK_OF(ASN1_OBJECT) *policies)
	{
	int i;
	ASN1_OBJECT *oid, *doid;
	if (!param)
		return 0;
	if (param->policies)
		sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);

	if (!policies)
		{
		param->policies = NULL;
		return 1;
		}

	param->policies = sk_ASN1_OBJECT_new_null();
	if (!param->policies)
		return 0;

	for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++)
		{
		oid = sk_ASN1_OBJECT_value(policies, i);
		doid = OBJ_dup(oid);
		if (!doid)
			return 0;
		if (!sk_ASN1_OBJECT_push(param->policies, doid))
			{
			ASN1_OBJECT_free(doid);
			return 0;
			}
		}
	param->flags |= X509_V_FLAG_POLICY_CHECK;
	return 1;
	}

int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
				const unsigned char *name, size_t namelen)
	{
	return int_x509_param_set_hosts(param->id, SET_HOST, name, namelen);
	}

int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
				const unsigned char *name, size_t namelen)
	{
	return int_x509_param_set_hosts(param->id, ADD_HOST, name, namelen);
	}

void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
					unsigned int flags)
	{
	param->id->hostflags = flags;
	}

char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param)
	{
	return param->id->peername;
	}

int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
				const unsigned char *email, size_t emaillen)
	{
	return int_x509_param_set1(&param->id->email, &param->id->emaillen,
					email, emaillen);
	}

int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
					const unsigned char *ip, size_t iplen)
	{
	if (iplen != 0 && iplen != 4 && iplen != 16)
		return 0;
	return int_x509_param_set1(&param->id->ip, &param->id->iplen, ip, iplen);
	}

int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc)
	{
	unsigned char ipout[16];
	int iplen;
	iplen = a2i_ipadd(ipout, ipasc);
	if (iplen == 0)
		return 0;
	return X509_VERIFY_PARAM_set1_ip(param, ipout, (size_t)iplen);
	}

int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
	{
	return param->depth;
	}

const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param)
	{
	return param->name;
	}

static X509_VERIFY_PARAM_ID _empty_id = {NULL, 0U, NULL, NULL, 0, NULL, 0};

#define vpm_empty_id (X509_VERIFY_PARAM_ID *)&_empty_id


/* Default verify parameters: these are used for various
 * applications and can be overridden by the user specified table.
 * NB: the 'name' field *must* be in alphabetical order because it
 * will be searched using OBJ_search.
 */

static const X509_VERIFY_PARAM default_table[] = {
	{
	"default",	/* X509 default parameters */
	0,		/* Check time */
	0,		/* internal flags */
	0,		/* flags */
	0,		/* purpose */
	0,		/* trust */
	100,		/* depth */
	NULL,		/* policies */
	vpm_empty_id
	},
	{
	"pkcs7",			/* S/MIME sign parameters */
	0,				/* Check time */
	0,				/* internal flags */
	0,				/* flags */
	X509_PURPOSE_SMIME_SIGN,	/* purpose */
	X509_TRUST_EMAIL,		/* trust */
	-1,				/* depth */
	NULL,				/* policies */
	vpm_empty_id
	},
	{
	"smime_sign",			/* S/MIME sign parameters */
	0,				/* Check time */
	0,				/* internal flags */
	0,				/* flags */
	X509_PURPOSE_SMIME_SIGN,	/* purpose */
	X509_TRUST_EMAIL,		/* trust */
	-1,				/* depth */
	NULL,				/* policies */
	vpm_empty_id
	},
	{
	"ssl_client",			/* SSL/TLS client parameters */
	0,				/* Check time */
	0,				/* internal flags */
	0,				/* flags */
	X509_PURPOSE_SSL_CLIENT,	/* purpose */
	X509_TRUST_SSL_CLIENT,		/* trust */
	-1,				/* depth */
	NULL,				/* policies */
	vpm_empty_id
	},
	{
	"ssl_server",			/* SSL/TLS server parameters */
	0,				/* Check time */
	0,				/* internal flags */
	0,				/* flags */
	X509_PURPOSE_SSL_SERVER,	/* purpose */
	X509_TRUST_SSL_SERVER,		/* trust */
	-1,				/* depth */
	NULL,				/* policies */
	vpm_empty_id
	}};

static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;

static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)

	{
	return strcmp(a->name, b->name);
	}

DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
			   table);
IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
			     table);

static int param_cmp(const X509_VERIFY_PARAM * const *a,
			const X509_VERIFY_PARAM * const *b)
	{
	return strcmp((*a)->name, (*b)->name);
	}

int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
	{
	int idx;
	X509_VERIFY_PARAM *ptmp;
	if (!param_table)
		{
		param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
		if (!param_table)
			return 0;
		}
	else
		{
		idx = sk_X509_VERIFY_PARAM_find(param_table, param);
		if (idx != -1)
			{
			ptmp = sk_X509_VERIFY_PARAM_value(param_table, idx);
			X509_VERIFY_PARAM_free(ptmp);
			(void)sk_X509_VERIFY_PARAM_delete(param_table, idx);
			}
		}
	if (!sk_X509_VERIFY_PARAM_push(param_table, param))
		return 0;
	return 1;
	}

int X509_VERIFY_PARAM_get_count(void)
	{
	int num = sizeof(default_table)/sizeof(X509_VERIFY_PARAM);
	if (param_table)
		num += sk_X509_VERIFY_PARAM_num(param_table);
	return num;
	}

const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id)
	{
	int num = sizeof(default_table)/sizeof(X509_VERIFY_PARAM);
	if (id < num)
		return default_table + id;
	return sk_X509_VERIFY_PARAM_value(param_table, id - num);
	}

const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
	{
	int idx;
	X509_VERIFY_PARAM pm;

	pm.name = (char *)name;
	if (param_table)
		{
		idx = sk_X509_VERIFY_PARAM_find(param_table, &pm);
		if (idx != -1)
			return sk_X509_VERIFY_PARAM_value(param_table, idx);
		}
	return OBJ_bsearch_table(&pm, default_table,
			   sizeof(default_table)/sizeof(X509_VERIFY_PARAM));
	}

void X509_VERIFY_PARAM_table_cleanup(void)
	{
	if (param_table)
		sk_X509_VERIFY_PARAM_pop_free(param_table,
						X509_VERIFY_PARAM_free);
	param_table = NULL;
	}
Commit	Line	Data
5d7c222d	1	/* x509_vpm.c */
2e597528	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
5d7c222d DSH	3	* project 2004.
	4	*/
	5	/* ====================================================================
	6	* Copyright (c) 2004 The OpenSSL Project. All rights reserved.
	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	*
	12	* 1. Redistributions of source code must retain the above copyright
	13	* notice, this list of conditions and the following disclaimer.
	14	*
	15	* 2. Redistributions in binary form must reproduce the above copyright
	16	* notice, this list of conditions and the following disclaimer in
	17	* the documentation and/or other materials provided with the
	18	* distribution.
	19	*
	20	* 3. All advertising materials mentioning features or use of this
	21	* software must display the following acknowledgment:
	22	* "This product includes software developed by the OpenSSL Project
	23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
	24	*
	25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	26	* endorse or promote products derived from this software without
	27	* prior written permission. For written permission, please contact
	28	* licensing@OpenSSL.org.
	29	*
	30	* 5. Products derived from this software may not be called "OpenSSL"
	31	* nor may "OpenSSL" appear in their names without prior written
	32	* permission of the OpenSSL Project.
	33	*
	34	* 6. Redistributions of any form whatsoever must retain the following
	35	* acknowledgment:
	36	* "This product includes software developed by the OpenSSL Project
	37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
	38	*
	39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	50	* OF THE POSSIBILITY OF SUCH DAMAGE.
	51	* ====================================================================
	52	*
	53	* This product includes cryptographic software written by Eric Young
	54	* (eay@cryptsoft.com). This product includes software written by Tim
	55	* Hudson (tjh@cryptsoft.com).
	56	*
	57	*/
	58
	59	#include <stdio.h>
	60
	61	#include "cryptlib.h"
	62	#include <openssl/crypto.h>
	63	#include <openssl/lhash.h>
	64	#include <openssl/buffer.h>
	65	#include <openssl/x509.h>
	66	#include <openssl/x509v3.h>
67
6c21b860	68	#include "x509_lcl.h"
4a253652	69
5d7c222d DSH	70	/* X509_VERIFY_PARAM functions */
5d7c222d DSH	71
8abffa4a VD	72	#define SET_HOST 0
	73	#define ADD_HOST 1
	74
	75	static char str_copy(const char s) { return OPENSSL_strdup(s); }
	76	static void str_free(char *s) { OPENSSL_free(s); }
	77
	78	#define string_stack_free(sk) sk_OPENSSL_STRING_pop_free(sk, str_free)
	79
	80	static int int_x509_param_set_hosts(X509_VERIFY_PARAM_ID *id, int mode,
	81	const unsigned char *name, size_t namelen)
	82	{
	83	char *copy;
	84
	85	/*
	86	* Refuse names with embedded NUL bytes, except perhaps as final byte.
	87	* XXX: Do we need to push an error onto the error stack?
	88	*/
	89	if (namelen == 0)
	90	namelen = name ? strlen((char *)name) : 0;
	91	else if (name && memchr(name, '\0', namelen > 1 ? namelen-1 : namelen))
	92	return 0;
	93	if (name && name[namelen-1] == '\0')
	94	--namelen;
	95
	96	if (mode == SET_HOST && id->hosts)
	97	{
	98	string_stack_free(id->hosts);
	99	id->hosts = NULL;
	100	}
	101	if (name == NULL \|\| namelen == 0)
	102	return 1;
	103
	104	copy = BUF_strndup((char *)name, namelen);
	105	if (copy == NULL)
	106	return 0;
	107
	108	if (id->hosts == NULL &&
	109	(id->hosts = sk_OPENSSL_STRING_new_null()) == NULL)
	110	{
	111	OPENSSL_free(copy);
	112	return 0;
	113	}
	114
	115	if (!sk_OPENSSL_STRING_push(id->hosts, copy))
	116	{
	117	OPENSSL_free(copy);
	118	if (sk_OPENSSL_STRING_num(id->hosts) == 0)
	119	{
	120	sk_OPENSSL_STRING_free(id->hosts);
	121	id->hosts = NULL;
	122	}
	123	return 0;
	124	}
	125
	126	return 1;
	127	}
	128
5d7c222d DSH	129	static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
5d7c222d DSH	130	{
4a253652	131	X509_VERIFY_PARAM_ID *paramid;
5d7c222d DSH	132	if (!param)
	133	return;
	134	param->name = NULL;
	135	param->purpose = 0;
	136	param->trust = 0;
237d7b6c DSH	137	/param->inh_flags = X509_VP_FLAG_DEFAULT;/
237d7b6c DSH	138	param->inh_flags = 0;
5d7c222d DSH	139	param->flags = 0;
	140	param->depth = -1;
	141	if (param->policies)
	142	{
	143	sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
	144	param->policies = NULL;
	145	}
4a253652	146	paramid = param->id;
8abffa4a	147	if (paramid->hosts)
3bf15e29	148	{
8abffa4a VD	149	string_stack_free(paramid->hosts);
8abffa4a VD	150	paramid->hosts = NULL;
3bf15e29	151	}
6e661d45 VD	152	if (paramid->peername)
6e661d45 VD	153	OPENSSL_free(paramid->peername);
4a253652	154	if (paramid->email)
3bf15e29	155	{
4a253652 DSH	156	OPENSSL_free(paramid->email);
	157	paramid->email = NULL;
	158	paramid->emaillen = 0;
3bf15e29	159	}
4a253652	160	if (paramid->ip)
3bf15e29	161	{
4a253652 DSH	162	OPENSSL_free(paramid->ip);
	163	paramid->ip = NULL;
	164	paramid->iplen = 0;
3bf15e29	165	}
4a253652	166
5d7c222d DSH	167	}
	168
	169	X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
	170	{
	171	X509_VERIFY_PARAM *param;
4a253652	172	X509_VERIFY_PARAM_ID *paramid;
5d7c222d	173	param = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM));
4a253652 DSH	174	if (!param)
	175	return NULL;
	176	paramid = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM));
	177	if (!paramid)
	178	{
	179	OPENSSL_free(param);
	180	return NULL;
	181	}
5d7c222d	182	memset(param, 0, sizeof(X509_VERIFY_PARAM));
4a253652 DSH	183	memset(paramid, 0, sizeof(X509_VERIFY_PARAM_ID));
4a253652 DSH	184	param->id = paramid;
5d7c222d DSH	185	x509_verify_param_zero(param);
	186	return param;
	187	}
	188
	189	void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
	190	{
	191	x509_verify_param_zero(param);
4a253652	192	OPENSSL_free(param->id);
5d7c222d DSH	193	OPENSSL_free(param);
	194	}
	195
	196	/* This function determines how parameters are "inherited" from one structure
	197	* to another. There are several different ways this can happen.
	198	*
	199	* 1. If a child structure needs to have its values initialized from a parent
	200	* they are simply copied across. For example SSL_CTX copied to SSL.
	201	* 2. If the structure should take on values only if they are currently unset.
	202	* For example the values in an SSL structure will take appropriate value
	203	* for SSL servers or clients but only if the application has not set new
	204	* ones.
	205	*
	206	* The "inh_flags" field determines how this function behaves.
	207	*
	208	* Normally any values which are set in the default are not copied from the
	209	* destination and verify flags are ORed together.
	210	*
	211	* If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied
	212	* to the destination. Effectively the values in "to" become default values
	213	* which will be used only if nothing new is set in "from".
	214	*
	215	* If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether
	216	* they are set or not. Flags is still Ored though.
	217	*
	218	* If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead
	219	* of ORed.
	220	*
	221	* If X509_VP_FLAG_LOCKED is set then no values are copied.
	222	*
	223	* If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed
	224	* after the next call.
	225	*/
	226
	227	/* Macro to test if a field should be copied from src to dest */
	228
	229	#define test_x509_verify_param_copy(field, def) \
	230	(to_overwrite \|\| \
	231	((src->field != def) && (to_default \|\| (dest->field == def))))
	232
4a253652 DSH	233	/* As above but for ID fields */
	234
	235	#define test_x509_verify_param_copy_id(idf, def) \
	236	test_x509_verify_param_copy(id->idf, def)
	237
5d7c222d DSH	238	/* Macro to test and copy a field if necessary */
	239
	240	#define x509_verify_param_copy(field, def) \
	241	if (test_x509_verify_param_copy(field, def)) \
	242	dest->field = src->field
4a253652	243
5d7c222d DSH	244
	245	int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
	246	const X509_VERIFY_PARAM *src)
	247	{
	248	unsigned long inh_flags;
	249	int to_default, to_overwrite;
4a253652	250	X509_VERIFY_PARAM_ID *id;
5d7c222d DSH	251	if (!src)
5d7c222d DSH	252	return 1;
4a253652	253	id = src->id;
5d7c222d DSH	254	inh_flags = dest->inh_flags \| src->inh_flags;
	255
	256	if (inh_flags & X509_VP_FLAG_ONCE)
	257	dest->inh_flags = 0;
	258
	259	if (inh_flags & X509_VP_FLAG_LOCKED)
	260	return 1;
	261
	262	if (inh_flags & X509_VP_FLAG_DEFAULT)
	263	to_default = 1;
	264	else
	265	to_default = 0;
	266
	267	if (inh_flags & X509_VP_FLAG_OVERWRITE)
	268	to_overwrite = 1;
	269	else
	270	to_overwrite = 0;
	271
	272	x509_verify_param_copy(purpose, 0);
	273	x509_verify_param_copy(trust, 0);
	274	x509_verify_param_copy(depth, -1);
	275
e881f617 DSH	276	/* If overwrite or check time not set, copy across */
	277
	278	if (to_overwrite \|\| !(dest->flags & X509_V_FLAG_USE_CHECK_TIME))
	279	{
	280	dest->check_time = src->check_time;
	281	dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
	282	/* Don't need to copy flag: that is done below */
	283	}
	284
5d7c222d DSH	285	if (inh_flags & X509_VP_FLAG_RESET_FLAGS)
	286	dest->flags = 0;
	287
	288	dest->flags \|= src->flags;
	289
	290	if (test_x509_verify_param_copy(policies, NULL))
	291	{
	292	if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies))
	293	return 0;
	294	}
	295
8abffa4a VD	296	/* Copy the host flags if and only if we're copying the host list */
8abffa4a VD	297	if (test_x509_verify_param_copy_id(hosts, NULL))
3bf15e29	298	{
8abffa4a VD	299	if (dest->id->hosts)
	300	{
	301	string_stack_free(dest->id->hosts);
	302	dest->id->hosts = NULL;
	303	}
	304	if (id->hosts)
	305	{
	306	dest->id->hosts =
	307	sk_OPENSSL_STRING_deep_copy(id->hosts,
	308	str_copy, str_free);
	309	if (dest->id->hosts == NULL)
	310	return 0;
	311	dest->id->hostflags = id->hostflags;
	312	}
3bf15e29 DSH	313	}
3bf15e29 DSH	314
4a253652	315	if (test_x509_verify_param_copy_id(email, NULL))
3bf15e29	316	{
4a253652	317	if (!X509_VERIFY_PARAM_set1_email(dest, id->email, id->emaillen))
3bf15e29 DSH	318	return 0;
	319	}
	320
4a253652	321	if (test_x509_verify_param_copy_id(ip, NULL))
3bf15e29	322	{
4a253652	323	if (!X509_VERIFY_PARAM_set1_ip(dest, id->ip, id->iplen))
3bf15e29 DSH	324	return 0;
	325	}
	326
5d7c222d DSH	327	return 1;
	328	}
	329
	330	int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
	331	const X509_VERIFY_PARAM *from)
	332	{
508c5352 DSH	333	unsigned long save_flags = to->inh_flags;
508c5352 DSH	334	int ret;
5d7c222d	335	to->inh_flags \|= X509_VP_FLAG_DEFAULT;
508c5352 DSH	336	ret = X509_VERIFY_PARAM_inherit(to, from);
	337	to->inh_flags = save_flags;
	338	return ret;
5d7c222d DSH	339	}
5d7c222d DSH	340
3bf15e29 DSH	341	static int int_x509_param_set1(unsigned char *pdest, size_t pdestlen,
	342	const unsigned char *src, size_t srclen)
	343	{
	344	void *tmp;
	345	if (src)
	346	{
	347	if (srclen == 0)
	348	{
	349	tmp = BUF_strdup((char *)src);
	350	srclen = strlen((char *)src);
	351	}
	352	else
	353	tmp = BUF_memdup(src, srclen);
	354	if (!tmp)
	355	return 0;
	356	}
	357	else
	358	{
	359	tmp = NULL;
	360	srclen = 0;
	361	}
	362	if (*pdest)
	363	OPENSSL_free(*pdest);
	364	*pdest = tmp;
	365	if (pdestlen)
	366	*pdestlen = srclen;
	367	return 1;
	368	}
	369
5d7c222d DSH	370	int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM param, const char name)
	371	{
	372	if (param->name)
	373	OPENSSL_free(param->name);
	374	param->name = BUF_strdup(name);
	375	if (param->name)
	376	return 1;
	377	return 0;
	378	}
	379
	380	int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
	381	{
	382	param->flags \|= flags;
	383	if (flags & X509_V_FLAG_POLICY_MASK)
	384	param->flags \|= X509_V_FLAG_POLICY_CHECK;
	385	return 1;
	386	}
	387
f022c177 DSH	388	int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags)
	389	{
	390	param->flags &= ~flags;
	391	return 1;
	392	}
	393
	394	unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
	395	{
	396	return param->flags;
	397	}
	398
5d7c222d DSH	399	int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
	400	{
	401	return X509_PURPOSE_set(&param->purpose, purpose);
	402	}
	403
	404	int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
	405	{
	406	return X509_TRUST_set(&param->trust, trust);
	407	}
	408
	409	void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
	410	{
	411	param->depth = depth;
	412	}
	413
	414	void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
	415	{
	416	param->check_time = t;
	417	param->flags \|= X509_V_FLAG_USE_CHECK_TIME;
	418	}
	419
	420	int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM param, ASN1_OBJECT policy)
	421	{
	422	if (!param->policies)
	423	{
	424	param->policies = sk_ASN1_OBJECT_new_null();
	425	if (!param->policies)
	426	return 0;
	427	}
	428	if (!sk_ASN1_OBJECT_push(param->policies, policy))
	429	return 0;
	430	return 1;
	431	}
	432
	433	int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
	434	STACK_OF(ASN1_OBJECT) *policies)
	435	{
	436	int i;
	437	ASN1_OBJECT oid, doid;
	438	if (!param)
	439	return 0;
	440	if (param->policies)
	441	sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
	442
	443	if (!policies)
	444	{
	445	param->policies = NULL;
	446	return 1;
	447	}
	448
	449	param->policies = sk_ASN1_OBJECT_new_null();
	450	if (!param->policies)
	451	return 0;
	452
	453	for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++)
	454	{
	455	oid = sk_ASN1_OBJECT_value(policies, i);
	456	doid = OBJ_dup(oid);
	457	if (!doid)
	458	return 0;
	459	if (!sk_ASN1_OBJECT_push(param->policies, doid))
	460	{
	461	ASN1_OBJECT_free(doid);
	462	return 0;
463	}
464	}
465	param->flags \|= X509_V_FLAG_POLICY_CHECK;
466	return 1;
467	}
468
3bf15e29 DSH	469	int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
	470	const unsigned char *name, size_t namelen)
	471	{
8abffa4a VD	472	return int_x509_param_set_hosts(param->id, SET_HOST, name, namelen);
	473	}
	474
	475	int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
	476	const unsigned char *name, size_t namelen)
	477	{
	478	return int_x509_param_set_hosts(param->id, ADD_HOST, name, namelen);
3bf15e29 DSH	479	}
3bf15e29 DSH	480
397a8e74 VD	481	void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
	482	unsigned int flags)
	483	{
	484	param->id->hostflags = flags;
	485	}
	486
6e661d45 VD	487	char X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM param)
	488	{
	489	return param->id->peername;
	490	}
	491
3bf15e29 DSH	492	int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
	493	const unsigned char *email, size_t emaillen)
	494	{
4a253652	495	return int_x509_param_set1(&param->id->email, &param->id->emaillen,
3bf15e29 DSH	496	email, emaillen);
	497	}
	498
	499	int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
	500	const unsigned char *ip, size_t iplen)
	501	{
	502	if (iplen != 0 && iplen != 4 && iplen != 16)
	503	return 0;
4a253652	504	return int_x509_param_set1(&param->id->ip, &param->id->iplen, ip, iplen);
3bf15e29 DSH	505	}
	506
	507	int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM param, const char ipasc)
	508	{
	509	unsigned char ipout[16];
	510	int iplen;
	511	iplen = a2i_ipadd(ipout, ipasc);
	512	if (iplen == 0)
	513	return 0;
	514	return X509_VERIFY_PARAM_set1_ip(param, ipout, (size_t)iplen);
	515	}
	516
5d7c222d DSH	517	int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
	518	{
	519	return param->depth;
	520	}
	521
9b3d7570 DSH	522	const char X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM param)
	523	{
	524	return param->name;
	525	}
	526
6e661d45	527	static X509_VERIFY_PARAM_ID _empty_id = {NULL, 0U, NULL, NULL, 0, NULL, 0};
4a253652 DSH	528
	529	#define vpm_empty_id (X509_VERIFY_PARAM_ID *)&_empty_id
	530
	531
5d7c222d DSH	532	/* Default verify parameters: these are used for various
	533	* applications and can be overridden by the user specified table.
	534	* NB: the 'name' field must be in alphabetical order because it
	535	* will be searched using OBJ_search.
	536	*/
	537
	538	static const X509_VERIFY_PARAM default_table[] = {
	539	{
	540	"default", /* X509 default parameters */
	541	0, /* Check time */
	542	0, /* internal flags */
	543	0, /* flags */
	544	0, /* purpose */
	545	0, /* trust */
30e5e39a	546	100, /* depth */
4a253652 DSH	547	NULL, /* policies */
4a253652 DSH	548	vpm_empty_id
5d7c222d DSH	549	},
5d7c222d DSH	550	{
237d7b6c DSH	551	"pkcs7", /* S/MIME sign parameters */
	552	0, /* Check time */
	553	0, /* internal flags */
	554	0, /* flags */
	555	X509_PURPOSE_SMIME_SIGN, /* purpose */
	556	X509_TRUST_EMAIL, /* trust */
	557	-1, /* depth */
4a253652 DSH	558	NULL, /* policies */
4a253652 DSH	559	vpm_empty_id
237d7b6c DSH	560	},
	561	{
	562	"smime_sign", /* S/MIME sign parameters */
5d7c222d DSH	563	0, /* Check time */
	564	0, /* internal flags */
	565	0, /* flags */
	566	X509_PURPOSE_SMIME_SIGN, /* purpose */
	567	X509_TRUST_EMAIL, /* trust */
	568	-1, /* depth */
4a253652 DSH	569	NULL, /* policies */
4a253652 DSH	570	vpm_empty_id
5d7c222d DSH	571	},
	572	{
	573	"ssl_client", /* SSL/TLS client parameters */
	574	0, /* Check time */
	575	0, /* internal flags */
	576	0, /* flags */
	577	X509_PURPOSE_SSL_CLIENT, /* purpose */
	578	X509_TRUST_SSL_CLIENT, /* trust */
	579	-1, /* depth */
4a253652 DSH	580	NULL, /* policies */
4a253652 DSH	581	vpm_empty_id
5d7c222d DSH	582	},
	583	{
	584	"ssl_server", /* SSL/TLS server parameters */
	585	0, /* Check time */
	586	0, /* internal flags */
	587	0, /* flags */
	588	X509_PURPOSE_SSL_SERVER, /* purpose */
	589	X509_TRUST_SSL_SERVER, /* trust */
	590	-1, /* depth */
4a253652 DSH	591	NULL, /* policies */
4a253652 DSH	592	vpm_empty_id
5d7c222d DSH	593	}};
	594
	595	static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
	596
babb3798 BL	597	static int table_cmp(const X509_VERIFY_PARAM a, const X509_VERIFY_PARAM b)
babb3798 BL	598
5d7c222d	599	{
5d7c222d DSH	600	return strcmp(a->name, b->name);
	601	}
	602
606f6c47	603	DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
e19106f5	604	table);
606f6c47	605	IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
e19106f5	606	table);
babb3798	607
5d7c222d DSH	608	static int param_cmp(const X509_VERIFY_PARAM * const *a,
	609	const X509_VERIFY_PARAM * const *b)
	610	{
	611	return strcmp((a)->name, (b)->name);
	612	}
	613
	614	int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
	615	{
	616	int idx;
	617	X509_VERIFY_PARAM *ptmp;
	618	if (!param_table)
	619	{
	620	param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
	621	if (!param_table)
	622	return 0;
	623	}
	624	else
	625	{
	626	idx = sk_X509_VERIFY_PARAM_find(param_table, param);
	627	if (idx != -1)
	628	{
	629	ptmp = sk_X509_VERIFY_PARAM_value(param_table, idx);
	630	X509_VERIFY_PARAM_free(ptmp);
a6fbcb42	631	(void)sk_X509_VERIFY_PARAM_delete(param_table, idx);
5d7c222d DSH	632	}
	633	}
	634	if (!sk_X509_VERIFY_PARAM_push(param_table, param))
	635	return 0;
	636	return 1;
	637	}
	638
9b3d7570 DSH	639	int X509_VERIFY_PARAM_get_count(void)
	640	{
	641	int num = sizeof(default_table)/sizeof(X509_VERIFY_PARAM);
	642	if (param_table)
	643	num += sk_X509_VERIFY_PARAM_num(param_table);
	644	return num;
	645	}
	646
	647	const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id)
	648	{
	649	int num = sizeof(default_table)/sizeof(X509_VERIFY_PARAM);
	650	if (id < num)
	651	return default_table + id;
	652	return sk_X509_VERIFY_PARAM_value(param_table, id - num);
	653	}
	654
5d7c222d DSH	655	const X509_VERIFY_PARAM X509_VERIFY_PARAM_lookup(const char name)
	656	{
	657	int idx;
	658	X509_VERIFY_PARAM pm;
babb3798	659
5d7c222d DSH	660	pm.name = (char *)name;
	661	if (param_table)
	662	{
	663	idx = sk_X509_VERIFY_PARAM_find(param_table, &pm);
	664	if (idx != -1)
	665	return sk_X509_VERIFY_PARAM_value(param_table, idx);
	666	}
e19106f5 DSH	667	return OBJ_bsearch_table(&pm, default_table,
e19106f5 DSH	668	sizeof(default_table)/sizeof(X509_VERIFY_PARAM));
5d7c222d DSH	669	}
	670
	671	void X509_VERIFY_PARAM_table_cleanup(void)
	672	{
	673	if (param_table)
	674	sk_X509_VERIFY_PARAM_pop_free(param_table,
	675	X509_VERIFY_PARAM_free);
	676	param_table = NULL;
	677	}